DETAILED ACTION 

This office action is responsive to amendment filed on 10/04/2004. 

Response to Amendment 

The examiner has acknowledged the amended claims 11, 14, 22 - 29, and 32 - 
34, and the new abstract. 

Response to Arguments 

Applicant's arguments with respect to claims 1 - 34 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 11 - 34 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Brown et al (US 5,941,947; hereinafter Brown) in view of Hudson et al (US 6,055,637; 
hereinafter Hudson). 

Regarding claims 11 - 13 and 29 - 31, Brown teaches a method for controlling 
access to a requestor to resources in a distributed computer system (fig. 1) comprising 
defining conditions for obtaining a right to a resource, assigning to the requester an 
access control list based on user's access rights, defining a part of a set of resources 
that is accessible by a validity domain, and utilizing the validity domain to restrict the 
resources accessible for the user to only part of the resources (col. 1, lines 27 - 56; col. 
2, lines 46 - 57; paragraph bridging col. 15, line 38 through col. 16, line 67). Claim 29 
adds the limitation of a software module for controlling access by a requestor to 
resources (col. 6, lines 18-31; col. 31, lines 30 - 42). 

Brown teaches substantially all the limitations, but fails to specifically teach that 
such method for controlling access to a requestor to resources in a distributed computer 
system is based on assigned role(s) to user(s); wherein the role overlaying one or more 
privileges and capable of being assigned to a plurality of requestors. 

However, Hudson teaches, in the same field of endeavor, a resource access 
control system and method for a corporate enterprise includes a security administrator 
in communication with a plurality of users, each of the users having an assigned role 
and a unique user identifier wherein the role overlaying one or more privileges and 
capable of being assigned to a plurality of requestors (fig. 2; col. 3, lines 8 - 66; col. 5, 
lines 15-63). 

Thus, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify Brown's system and method by assigning a role to 
user(s), and role overlaying one or more privileges and capable of being assigned to a 
plurality of requestors for the purpose of allowing various resources not to store 
permanently information associated with all the users, and permitting user information to 
be updated quickly and efficiently at local security administrator, thereby, preventing the 
integrity of the entire system of being compromised. 

Regarding claims 14-16 and 32 - 34, Brown and Hudson teach all the 
limitations, and Brown further teaches a method for controlling access to a requestor to 
resources in a distributed computer system (fig. 2A), which further comprises the steps 
of performing an access check on two levels: a first level check on the type of the 
resource; and a second level check on the identifier; wherein the first-level check 
verifies the existence of at least one entry of the access control list that satisfies 
conditions for obtaining a requested right of entry, and, if the right of entry exists, the 
existence of a validity domain for said entry; wherein the second-level check verifies, if a 
requested permission for right of entry contains a resource identifier, the existence of at 
least one configured permission corresponding to the requested permission and the 
value of the additional information relative to the need to consult the validity (fig. 3B; col. 
4, lines 40 - 65; col. 11, lines 3 - 31; col. 19, lines 52 - 67). 

Regarding claims 17-21, Brown and Hudson teach all the limitations, and Brown 
further teaches a method for controlling access to a requestor to resources in a 
distributed computer system (fig. 2A), which further comprises the steps of grouping 
rights or resources into generic groups represented by special characters or keywords 
or other symbols (figs. 5A - 5B; col. 16, lines 55 - 67; col. 20, lines 53 - 63). 

Regarding claims 22 - 25, Brown teaches a device for controlling access by a 
requestor to interrogated resources in a distributed computer system (fig. 8), comprising 
at least one management machine organized into one or more networks said machine 
having at least one calling entity, for designating actions executed by the requestor (fig. 
1; paragraph bridging col. 6, line 66 through col. 7, line 37), an application program 
interface for transmitting interrogations from the calling entity, an access control service 
for receiving said interrogations and controlling access of the requestors to the 
interrogated resources, storage means for storing access rights data, access control 
lists and validity domains and means for accessing the storage means (col. 3, lines 26 - 
44; col. 7, lines 48 - 60). 

Brown teaches substantially all the limitations, but fails to specifically teach that 
such storage means is for storing roles; wherein the roles overlaying one or more 
privileges and capable of being assigned to one or more requestors. 

However, Hudson teaches, in the same field of endeavor, a resource access 
control system and method for a corporate enterprise includes a security administrator 
in communication with a plurality of users, which comprises a storage means for storing 
roles (col. 4, lines 50 - 64); wherein the roles overlaying one or more privileges and 
capable of being assigned to one or more requestors (fig. 2; col. 3, lines 8 - 66; col. 5, 
lines 15-63). 

Thus, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify Brown's system and method by incorporating a storage 
means for storing roles; wherein the roles overlaying one or more privileges and 
capable of being assigned to one or more requestors for the purpose of allowing various 
resources not to store permanently information associated with all the users, and 
permitting user information to be updated quickly and efficiently at local security 
administrator, thereby, preventing the integrity of the entire system of being 
compromised. 

Regarding claims 26 - 28, Brown and Hudson teach all the limitations, and Brown 
further teaches a device for controlling access by a requestor to interrogated resources 
in a distributed computer system (fig. 8), further comprising means for performing an 
access check on two levels: a first-level check on the type of the resource; and a 
second-level check on the identifier of the resource (2d); wherein a first-level check 
verifies the existence of at least one entry of the access control list that satisfies 
conditions for obtaining a requested right of entry to a resource, and, if the entry exists, 
the existence of a validity domain for said entry; and wherein a second level check 
verifies if a requested right of entry to a resource contains a resource identifier, the 
existence of at least one configured permission corresponding to the requested right of 
entry and the value of additional information relative to the need to consult the validity 
domain (fig. 3B; col. 4, lines 40 - 65; col. 11, lines 3 - 31; col. 19, lines 52 - 67). 
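The two-level access check described above for claims 14-16 and 26-28, combined with the role-overlaying-privileges model attributed to Hudson, as an added illustrative sketch in Python; this is not code from either patent or from the office action. The Permission and Request classes, the consult_domain flag standing in for the "additional information", and every role, privilege and resource name are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Permission:
    """One configured ACL entry: the conditions for obtaining a right on a resource type."""
    resource_type: str
    right: str
    privilege: str                  # privilege the requester must hold through an assigned role
    validity_domain: frozenset      # the part of the resources this entry may be applied to
    consult_domain: bool = True     # "additional information": must the validity domain be consulted?

@dataclass(frozen=True)
class Request:
    requester: str
    resource_type: str
    right: str
    resource_id: Optional[str] = None   # absent for a type-level request

# Constructed sample policy; role, privilege and resource names are hypothetical.
ROLE_PRIVILEGES = {"operator": frozenset({"print"}), "admin": frozenset({"print", "configure"})}
ASSIGNED_ROLES = {"alice": frozenset({"admin"}), "bob": frozenset({"operator"})}
ACL = [
    Permission("printer", "use", "print", frozenset({"prn-1", "prn-2"})),
    Permission("printer", "reconfigure", "configure", frozenset(), consult_domain=False),
]

def privileges_of(requester: str) -> frozenset:
    """A role overlays privileges, so a requester holds the union over its assigned roles."""
    roles = ASSIGNED_ROLES.get(requester, frozenset())
    return frozenset().union(*(ROLE_PRIVILEGES[r] for r in roles))

def first_level_check(req: Request, acl: List[Permission]) -> List[Permission]:
    """Type level: every ACL entry satisfying the conditions for the requested right on the type."""
    privs = privileges_of(req.requester)
    return [e for e in acl
            if e.resource_type == req.resource_type and e.right == req.right and e.privilege in privs]

def second_level_check(req: Request, entries: List[Permission]) -> bool:
    """Identifier level: some entry must cover the named resource (domain not consulted, or id inside it)."""
    return any(not e.consult_domain or req.resource_id in e.validity_domain for e in entries)

def access_granted(req: Request, acl: List[Permission] = ACL) -> bool:
    entries = first_level_check(req, acl)
    if not entries:
        return False                 # no entry grants the right on this type: stop at the first level
    if req.resource_id is None:
        return True                  # the request names only a type, so the first level decides
    return second_level_check(req, entries)
```

A request that names a resource identifier outside every applicable validity domain is refused at the second level even though the first level succeeded, which is the restriction to "only part of the resources" that the validity domain provides.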

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Carter et al (US Patent Number 6,742,114) discloses a deputization in a 
distributed computing system. 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Yves Dalencourt whose telephone number is (571) 272-3998. 
The examiner can normally be reached on M-TH 7:30AM - 6:00PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ario Etienne can be reached on (571) 272-4001. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Yves Dalencourt 